From 61f9c8d4daf01a10b8f171f273407b46f9ba9054 Mon Sep 17 00:00:00 2001
From: Eric Windisch
Date: Sun, 21 Jun 2015 13:18:19 -0400
Subject: [PATCH] Do not generate/load AppArmor profiles

Profiles for AppArmor should be specified by consuming applications. A one-size-fits all policy specific to Docker does not belong in libcontainer. This change eliminates loading of the policy from libcontainer. It also eliminates the check for the userland tools as these were only needed for libcontainer's policy loader. Applying profiles does not require the userland tools and some systems may, in fact, have functional AppArmor without having these tools on the host.

Signed-off-by: Eric Windisch
---
 apparmor/apparmor.go | 6 ++--
 apparmor/gen.go | 83 --------------------------------------------
 apparmor/setup.go | 46 ------------------------
 3 files changed, 2 insertions(+), 133 deletions(-)
 delete mode 100644 apparmor/gen.go
 delete mode 100644 apparmor/setup.go

diff --git a/apparmor/apparmor.go b/apparmor/apparmor.go
index 18cedf6a1..3be3294d8 100644
--- a/apparmor/apparmor.go
+++ b/apparmor/apparmor.go
@@ -14,10 +14,8 @@ import (
 func IsEnabled() bool {
 if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
- if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
- buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
- return err == nil && len(buf) > 1 && buf[0] == 'Y'
- }
+ buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+ return err == nil && len(buf) > 1 && buf[0] == 'Y'
 }
 return false
 }
diff --git a/apparmor/gen.go b/apparmor/gen.go
deleted file mode 100644
index 653bf34d3..000000000
--- a/apparmor/gen.go
+++ /dev/null
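Review bot: IsEnabled now answers true whenever the kernel reports AppArmor enabled, but with InstallDefaultProfile deleted nothing in this package loads a profile any more, so a caller that still treats IsEnabled as "the default profile is in place" will hand the kernel a profile name it has never seen and fail at container start; the function carries no doc comment saying where that responsibility now lies. Suggest adding `// IsEnabled reports whether the kernel has AppArmor enabled and this process is not itself running inside a container. It does not check that any profile has been loaded; loading a profile is the consuming application's job.` above `func IsEnabled() bool {`. A smaller point of style in the added lines: `buf, err := ioutil.ReadFile(...)` shadows the `err` declared by the enclosing `if`; `if buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled"); err == nil { return len(buf) > 1 && buf[0] == 'Y' }` is equivalent (the outer `return false` still covers the error case) and keeps the scope obvious. The two file deletions that follow need no further note.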
@@ -1,83 +0,0 @@
-// +build linux
-
-package apparmor
-
-import (
- "io"
- "os"
- "text/template"
-)
-
-type data struct {
- Name string
- Imports []string
- InnerImports []string
-}
-
-const baseTemplate = `
-{{range $value := .Imports}}
-{{$value}}
-{{end}}
-
-profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
-{{range $value := .InnerImports}}
- {{$value}}
-{{end}}
-
- network,
- capability,
- file,
- umount,
-
- deny @{PROC}/sys/fs/** wklx,
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
- deny @{PROC}/kmem rwklx,
- deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
- deny @{PROC}/sys/kernel/*/** wklx,
-
- deny mount,
-
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
-}
-`
-
-func generateProfile(out io.Writer) error {
- compiled, err := template.New("apparmor_profile").Parse(baseTemplate)
- if err != nil {
- return err
- }
- data := &data{
- Name: "docker-default",
- }
- if tunablesExists() {
- data.Imports = append(data.Imports, "#include ")
- } else {
- data.Imports = append(data.Imports, "@{PROC}=/proc/")
- }
- if abstractionsExists() {
- data.InnerImports = append(data.InnerImports, "#include ")
- }
- if err := compiled.Execute(out, data); err != nil {
- return err
- }
- return nil
-}
-
-// check if the tunables/global exist
-func tunablesExists() bool {
- _, err := os.Stat("/etc/apparmor.d/tunables/global")
- return err == nil
-}
-
-// check if abstractions/base exist
-func abstractionsExists() bool {
- _, err := os.Stat("/etc/apparmor.d/abstractions/base")
- return err == nil
-}
diff --git a/apparmor/setup.go b/apparmor/setup.go
deleted file mode 100644
index 2df21268e..000000000
--- a/apparmor/setup.go
+++ /dev/null
@@ -1,46 +0,0 @@
-// +build linux
-
-package apparmor
-
-import (
- "fmt"
- "os"
- "os/exec"
- "path"
-)
-
-const (
- DefaultProfilePath = "/etc/apparmor.d/docker"
-)
-
-func InstallDefaultProfile() error {
- if !IsEnabled() {
- return nil
- }
-
- // Make sure /etc/apparmor.d exists
- if err := os.MkdirAll(path.Dir(DefaultProfilePath), 0755); err != nil {
- return err
- }
-
- f, err := os.OpenFile(DefaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
- if err != nil {
- return err
- }
- if err := generateProfile(f); err != nil {
- f.Close()
- return err
- }
- f.Close()
-
- cmd := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker")
- // to use the parser directly we have to make sure we are in the correct
- // dir with the profile
- cmd.Dir = "/etc/apparmor.d"
-
- output, err := cmd.CombinedOutput()
- if err != nil {
- return fmt.Errorf("Error loading docker apparmor profile: %s (%s)", err, output)
- }
- return nil
-}